IBM Web Content Manager XPath Injection

`SEC Consult Vulnerability Lab Security Advisory < 20131227-0 >  
=======================================================================  
title: XPath Injection  
product: IBM Web Content Manager (WCM)  
vulnerable version: 6.x, 7.x, 8.x  
fixed version: -  
impact: high  
homepage: http://www.ibm.com/  
found: 2013-10-27  
CVE: CVE-2013-6735  
by: A.Antukh, S.Temnikov  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"IBM® Web Content Manager is designed to accelerate web content development and  
deployment through Internet, intranet and extranet sites. This software enables  
users to create and publish content while IT retains control. Through advanced  
personalization, IBM Web Content Manager delivers the right information to the  
right audience when needed, providing an exceptional customer experience"  
  
Source: http://www-03.ibm.com/software/products/en/ibmwebcontmana  
  
  
Business recommendation:  
------------------------  
The discovered vulnerability can be exploited _without_ authentication and  
therefore pose a high security risk - it allows extraction of configuration  
data from the server. The impact of the XPath vulnerability isn't researched  
fully. SEC Consult suspects that it is possible to extract sensitive  
information that will be useful for further attacks. The recommendation of SEC  
Consult is to immediately install patches provided by the vendor.  
  
  
Vulnerability overview/description:  
-----------------------------------  
A typical URL for a host with installed WCM looks like this:  
http://[HOST]:[PORT]/wps/wcm/connect/[PATH]  
  
The "connect" servlet provided in the standard installation of IBM Web Content  
Manager parses the PATH element as follows:  
[PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT]  
  
Due to insufficient validation, the "LIBRARY" element suffers from an  
XPath-injection vulnerability.  
  
An unauthenticated user is able to perform blind XPath Injection attacks e.g.  
get current application configuration, enumerate nodes and extract other  
valuable information from vulnerable installations of Web Content Manager.  
  
  
Proof of concept:  
-----------------  
The vulnerability is exploited due to improper validation of the LIBRARY  
parameter, which is parsed by the "connect" servlet.  
  
The most basic cases are presented below, and allow an attacker to manipulate  
logic of the request. The "false" clause causes an error, the "true" clause (if  
not defined explicitly) redirects an attacker to the  
"/wcm/webinterface/login/login.jsp" page.  
  
True clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a  
False clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b  
  
Knowing the difference between responses of the true and false clauses, it is  
possible to manipulate requests in order to extract the information. For  
example, if the following request returns TRUE, this would give an attacker  
information about the "name" property.  
  
http://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = "pznDT") or 'a'='b  
  
In a similar way, with use of the "jcr:like" and "jcr:contains" functions one  
can effectively restore the value for the "target" property.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM which  
are the most recent versions at the moment of writing the advisory.  
  
  
Vendor contact timeline:  
------------------------  
2013-12-04: Contacted vendor through [email protected].  
2013-12-04: Initial vendor response.  
2013-12-06: Issues will be verified.  
2013-12-20: Security bulletin released.  
2013-12-27: SEC Consult releases coordinated security advisory.  
  
  
Solution:  
---------  
Apply the Interim Fix PI07777  
www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI07777  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF A. Antukh / @2013  
`